\section{Syntax and Definitions of Group Encryption} \label{GE-model}

We use the syntax and the security model of Kiayias, Tsiounis and Yung \cite{KTY07}. 
The group encryption (\textsf{GE}) primitive involves a sender, a verifier, a group manager~(\textsf{GM}) that manages the group of receivers and an opening
authority~(\textsf{OA}) which is capable of identifying  ciphertexts' recipients.

In the syntax of \cite{KTY07}, a $\GE$ scheme is specified by the description of a
relation $R$ as well as a tuple
$\GE=\bigl(\mathsf{SETUP},\mathsf{JOIN},\langle
  \mathcal{G}_r,R,\mathsf{sample}_{R}
  \rangle,\mathsf{ENC},\mathsf{DEC},\mathsf{OPEN},\langle
\mathcal{P},\mathcal{V} \rangle \bigr)$ of algorithms or protocols.
In details, $\mathsf{SETUP}$ is a set of initialization procedures that all take (implicitly or explicitly) a security parameter $1^\lambda$ as input. We call them
$\mathsf{SETUP}_{\mathsf{init}}(1^\lambda)$,
$\mathsf{SETUP}_{\mathsf{GM}}(\param)$ and
$\mathsf{SETUP}_{\mathsf{OA}}(\param)$. The first one of these procedures
generates a set of public parameters $\param$ (like the KTY construction \cite{KTY07}, we rely on a common reference string even when using interaction between
provers and verifiers). The latter two procedures are used to produce key pairs
$(\pk_{\GM},\sk_{\GM})$, $(\pk_{\OA},\sk_{\OA})$ for the $\GM$ and the
$\OA$. In the following,   $\param$ is incorporated  in the inputs of all algorithms although we sometimes omit to explicitly write it.

$\mathsf{JOIN}=(\mathsf{J}_{\mathsf{user}},\mathsf{J}_{\GM})$ is an interactive protocol between the $\GM$ and the prospective user.
After the execution of $\mathsf{JOIN}$, the $\GM$ stores the public key $\pk$ and its certificate $\crt_{\pk}$ in a public directory
$\mathsf{database}$. 
 As in \cite{KY05}, we will restrict this
protocol to have minimal interaction and consist of only two messages: the first one is the user's public key $\pk$ sent by $\mathsf{J}_{\mathsf{user}}$ to $\mathsf{J}_{\GM}$
and the latter's response is a certificate $\crt_{\pk}$ for $\pk$ that makes the user's group membership effective. We do not require the user to prove
knowledge of his private key $\sk$ or anything else about it. In our construction, valid   keys will be publicly recognizable and users will not have to prove
their validity. By avoiding proofs of knowledge of private keys, the security proof never has to
rewind the adversary to extract those private keys, which  allows supporting concurrent joins as
advocated by Kiayias and Yung   \cite{KY05}. If applications demand it, it is possible to add
proofs of knowledge of private keys in a modular way but our security proofs do not require
rewinding the adversary in executions of $\mathsf{JOIN}$. \\
\indent 
Algorithm $\mathsf{sample}_{R}$ allows sampling pairs $(x,w)\in R$ (made of a public value $x$ and a witness $w$) using keys $(\pk_{R},\sk_{R})$ produced by
$\mathcal{G}_r(1^\lambda)$ which samples public/secret parameters for the relation $R$. Depending on the relation, $\sk_{R}$ may be the empty string (as in the scheme \cite{KTY07} and ours  which both involve publicly samplable relations). The testing procedure   $R(x,w)$ uses $\pk_{R}$ to 
return  $1$ whenever $(x,w)\in R$. To encrypt a witness $w$ such that $(x,w) \in R$ for some public $x$, the sender fetches the pair $(\pk,\crt_{\pk})$
from $\mathsf{database}$ and runs the randomized  encryption algorithm. The latter takes as input $w$, a label $L$, the receiver's   pair $(\pk,\crt_{\pk})$ as
well as public keys $\pk_{\GM}$ and $\pk_{\OA}$. Its output is a ciphertext
$\Psi \leftarrow \mathsf{ENC}(\pk_{\GM},\pk_{\OA},\pk,\crt_{\pk},w,L)$.
On input of the same elements, the certificate $\crt_{\pk}$, the ciphertext $\Psi$ and the random coins $coins_{\Psi}$ that were used to produce  $\Psi$, the
non-interactive algorithm $\mathsf{PP}$ generates a proof $\pi_{\Psi}$ that there exists a certified receiver whose public key was registered in $\mathsf{database}$ and
 who is able to decrypt $\Psi$ and obtain a witness $w$ such that $(x,w) \in R$. The verification algorithm $\mathcal{V}$ takes as input $\Psi$, $\pk_{\GM}$,
$\pk_{\OA}$, $\pi_{\Psi}$  and the description of $R$  and outputs $0$ or $1$. Given $\Psi$, $L$ and the receiver's private key $\sk$, the output of
$\mathsf{DEC}$ is either a witness $w$ such that $(x,w) \in R$ or a rejection symbol $\bot$. Finally,
$\mathsf{OPEN}$ takes as input   a ciphertext/label pair $(\Psi,L)$ and the OA's secret key $\sk_{\OA}$ and returns   a receiver's public key $\pk$.\\
\indent 
The  model of \cite{KTY07} considers four properties termed correctness, message security, anonymity and soundness. 
In the security definitions, stateful oracles capture the adversary's
interaction with the system.  In the soundness game, the KTY model requires
that pk belongs to the language of valid public keys. Here, we are implicitly assuming that the space
of valid public keys is dense (all matrices are valid keys, as is the case in our scheme).

In the upcoming definitions,  we sometimes use the notation
\[ \langle \mathsf{output}_A |\mathsf{output}_B \rangle \allowbreak \leftarrow \langle A(\mathsf{input}_A),B(\mathsf{input}_B) \rangle (\mathsf{common\textrm{-}input}) \]
to denote the execution of a protocol between $A$ and $B$ obtaining their own outputs from their respective inputs.
\medskip

\paragraph{Correctness.}
 The correctness property
requires that the following experiment returns $1$ with overwhelming
probability.

\begin{center}
  \procedure{Experiment $\Expt^{\mathrm{correctness}}(\lambda)$}{
    \mathsf{param} \leftarrow
    \mathsf{SETUP}_{\mathsf{init}}(1^\lambda); (\pk_{R},\sk_{R})
    \gets \mathcal{G}_r (\lambda); (x,w) \leftarrow \mathsf{sample}_{R}
    (\pk_{R},\sk_{R}); \\
    (\pk_{\GM},\sk_{\GM}) \leftarrow \mathsf{SETUP}_{\GM}(\mathsf{param}); (\pk_{\OA},\sk_{\OA}) \leftarrow \mathsf{SETUP}_{\OA}(\mathsf{param});  \\
    \langle \pk,\sk,\crt_{\pk} | \pk,\crt_{\pk} \rangle \leftarrow \langle  \mathsf{J}_{\mathsf{user}},\mathsf{J}_{\GM}(\sk_{\GM})  \rangle (\pk_{\GM}); \\
    \Psi \leftarrow
    \mathsf{ENC}(\pk_{\GM},\pk_{\OA},\pk,\crt_{\pk},w,L);\\
    \pi_{\Psi} \leftarrow \mathcal{P}(\pk_{\GM},\pk_{\OA},\pk,\crt,w,L,\Psi,coins_{\Psi}); \\
    \pcif \bigl( (w \neq \mathsf{DEC}(\sk,\Psi,L)) \vee ( \pk \neq
      \mathsf{OPEN}(\sk_{\OA},\Psi,L )) \\ \quad \qquad \vee (\mathcal{V}(\Psi,L,\pi_{\Psi},\pk_{\GM},\pk_{\OA})=0)
    \bigr) \pcthen\\
    \pcind \pcreturn 0\\
    \pcelse\\
    \pcind \pcreturn 1; 
 }
\end{center}

\paragraph{Message Secrecy.}
The message secrecy property is defined by an experiment where the adversary has access to oracles
that may be stateful (and   maintain a state across queries) or
stateless:
%These oracles are the following:
\begin{itemize}
\item[-] $\mathsf{DEC}(\sk)$: is a stateless  oracle for the user decryption function
$\mathsf{DEC}$. When this oracle is restricted not to decrypt a
 ciphertext-label pair $(\Psi,L)$, we denote it by
$\mathsf{DEC}^{\neg \langle \Psi, L \rangle}$.
\item[-] $\mathsf{CH}_{\mathsf{ror}}^b(\lambda,\pk,w,L)$: is a
  real-or-random challenge oracle which is called \textit{once}. It
returns  $(\Psi,coins_{\Psi})$ such that $\Psi \leftarrow
\mathsf{ENC}(\pk_{\GM},\pk_{\OA},\pk,\crt_{\pk},w,L)$ if $b=1$
whereas, if $b=0$, $\Psi \leftarrow
\mathsf{ENC}(\pk_{\GM},\pk_{\OA},\pk,\crt_{\pk},w',L)$ encrypts a
random plaintext   of
length $O(\lambda)$  uniformly sampled in the plaintext space. In both cases, $coins_{\Psi}$ denote the random
coins used to generate $\Psi$.
\item[-]
$\mathsf{PROVE}_{\mathsf{PP},\mathsf{PP}'}^b(\pk_{\GM},\pk_{\OA},\pk,\crt_{\pk},\pk_{R},x,w,\Psi,L,coins_{\Psi})$:
is a stateful oracle that  can be invoked  a polynomial number times. If $b=1$, it  replies by running the real prover $\mathsf{PP}$ on the inputs to
create  an actual proof $\pi_{\Psi}$. If $b=0$, the oracle runs a
simulator $\mathsf{PP}'$ that uses the same inputs as $\mathsf{PP}$  except  witness
$w,coins_{\Psi}$ and generates a simulated proof.
\end{itemize}
These oracles are used in an experiment where the adversary   controls
the $\GM$, the $\OA$ and all members except the honest receiver. The
adversary $\adv$ embodies the dishonest $\GM$ that certifies the honest
receiver in an execution of $\mathsf{JOIN}$. It is granted access to an oracle  $\mathsf{DEC}$ which decrypts on behalf of that receiver. In the
challenge phase, it transmits a state information   $\mathsf{aux}$  to itself and invokes the challenge oracle for a label and a
pair $(x,w) \in R$ of its choice. After the challenge phase, it
can also query the $\mathsf{PROVE}$ oracle  many times
and finally attempts to guess the challenger's bit $b$.\\
\indent As pointed out in \cite{KTY07,CLY09}, designing an efficient
simulator $\mathsf{PP}'$ (for executing $\mathsf{PROVE}_{\mathsf{PP},\mathsf{PP}'}^b(.)$
when $b=0$) is part of the security proof.
\begin{definition} \label{security-def}
  A $\GE$ scheme satisfies \textit{message security}
if, for any PPT adversary $\adv$, the experiment below returns $1$
with probability at most  $1/2 + \mathsf{negl}(\lambda)$.

\begin{center}
\procedure{Experiment $\Expt_{\adv}^{\mathrm{sec}}(\lambda)$}{
   \param \leftarrow \mathsf{SETUP}_{\mathsf{init}}(1^\lambda);  (\mathsf{aux},\pk_{\GM},\pk_{\OA}) \leftarrow \adv(\param); \\
   \langle \pk,\sk,\crt_{\pk} | \mathsf{aux} \rangle
  \leftarrow \langle \mathsf{J}_{\mathsf{user}},\adv(\mathsf{aux}) \rangle
  (\pk_{\GM}); \\
   (\mathsf{aux},x,w,L,\pk_{R}) \leftarrow
  \adv^{\mathsf{DEC}(\sk,.)}(\mathsf{aux});\\
  \pcif (x,w) \not\in R \pcthen\\
  \pcind\pcreturn 0;\\
   b\sample \{0,1\}; ( \Psi,coins_{\Psi} ) \leftarrow \mathsf{CH}_{\mathsf{ror}}^b(\lambda,\pk,w,L) ; \\
   b' \leftarrow
  \adv^{\mathsf{PROVE}_{\mathsf{PP},\mathsf{PP}'}^b(\pk_{\GM},\pk_{\OA},\pk,\crt_{\pk},\pk_{R},x,w,\Psi,L,coins_{\Psi}),\mathsf{DEC}^{\neg
  \langle \Psi, L \rangle}(\sk,.)}(\mathsf{aux},\Psi) ; \\
   \pcif b=b' \pcthen\\ \pcind\pcreturn 1 \\\pcelse\\ \pcind \pcreturn 0;
}
\end{center}
\end{definition}

\paragraph{Anonymity.}
In the experiment modeling the anonymity property, the adversary
controls the entire system except the opening authority and two well-behaved users.
 The challenger thus introduces two honest users' public keys $\pk_0,\pk_1$ in $\mathsf{database}$ and thus obtains certificate for both $\pk_0,\pk_1$ from the adversarially-controlled $\GM$.
 For a pair $(x,w) \in R$ of its choice, the adversary obtains an encryption of $w$ under $\pk_b$ for some $b\in \bit$ chosen by the challenger.
 The adversary  is provided with decryption oracles w.r.t. both keys $\pk_0,\pk_1$. In addition, it has  the following oracles at disposal:
\begin{itemize}
\item[-] $\mathsf{CH}_{\mathsf{anon}}^b(\pk_{\GM},\pk_{\OA},\pk_0,\pk_1,w,L)$: is a
  challenge oracle that is only queried once by the adversary. It
returns a pair   $(\Psi,coins_{\Psi})$ consisting of a ciphertext
$\Psi \leftarrow
\mathsf{ENC}(\pk_{\GM},\pk_{\OA},\pk_b,\crt_{\pk_b},w,L)$ and the
coin tosses  $coins_{\Psi}$ that were used to generate $\Psi$.
\item[-]
$\mathsf{USER}(\pk_{\GM})$: is a stateful oracle  that obtains  certificates from the adversary by simulating two
executions of $\mathsf{J}_{\mathsf{user}}$   to introduce two honest users
in the group. It uses a string $\mathsf{keys}$ where the outputs $(\pk_0,\sk_0,\crt_{\pk_0})$, $(\pk_1,\sk_1,\crt_{\pk_1})$  of honest users
 are written  as long as the adversarially-supplied certificates $\{\crt_{\pk_d}\}_{d=0}^1$ are valid w.r.t. $\pk_{\GM}$ (i.e., invalid certificates are ignored
by the oracle and no entry is introduced in $\mathsf{keys}$ for them).
\item[-]
$\mathsf{OPEN}(\sk_{\OA},.)$: is a stateless oracle that simulates
the opening algorithm   and, on input of a $\GE$
ciphertext, returns the receiver's public key.
\end{itemize}

   The reason why
the $\mathsf{USER}$ oracle is needed is that both honest users' public keys $\pk_0, \pk_1$ must have been properly
certified by the adversarially-controlled $\mathsf{GM}$ before the challenge phase  because  the adversary subsequently obtains
proofs generated using $(\pk_b,\crt_{\pk_b})$.

\begin{definition} \label{anonymity-def}
  A $\GE$ scheme satisfies \textit{anonymity} if, for any PPT adversary $\adv$, the experiment below returns $1$
with a probability not exceeding  $1/2 + \mathsf{negl}(\lambda)$.
\begin{center}
  \procedure{Experiment $\Expt_{\adv}^{\mathrm{anon}}(\lambda)$}{
    \param \leftarrow
    \mathsf{SETUP}_{\mathsf{init}}(1^\lambda); (\pk_{\OA},\sk_{\OA})
    \leftarrow \mathsf{SETUP}_{\mathsf{OA}}( \param); \\ 
    (\mathsf{aux},\pk_{\GM}) \leftarrow \adv(\param,\pk_{\OA});  
    \mathsf{aux}  \leftarrow
    \adv^{\mathsf{USER}(\pk_{\GM}),\mathsf{OPEN}(\sk_{\OA},.)}
    (\mathsf{aux})  ; \\ 
    \pcif \mathsf{keys} \neq (\pk_0,\sk_0,\crt_{\pk_0},\pk_1,\sk_1,\crt_{\pk_1})(\mathsf{aux})  \pcthen\\
    \pcreturn 0;\\
    (\mathsf{aux},x,w,L,\pk_{R}) \leftarrow
    \adv^{\mathsf{OPEN}(\sk_{\OA},.),
    \mathsf{DEC}(\sk_0,.),\mathsf{DEC}(\sk_1,.)}(\mathsf{aux}); \\
    \pcif (x,w) \not\in R \pcthen\\
    \pcind \pcreturn 0; \\
    b\sample \{0,1\}; ( \Psi,coins_{\Psi} ) \leftarrow \mathsf{CH}_{\mathsf{anon}}^b(\pk_{\GM},\pk_{\OA},\pk_0,\pk_1,w,L) ; \\
    b' \leftarrow
    \adv^{\mathcal{P}(\pk_{\GM},\pk_{\OA},\pk_b,\crt_{\pk_b},x,w,\Psi,L,coins_{\Psi},}
      \\       ^{\mathsf{OPEN}^{\neg \langle \Psi,L \rangle
        }(\sk_{\OA},.),\mathsf{DEC}^{\neg \langle \Psi, L
        \rangle}(\sk_0,.),\mathsf{DEC}^{\neg
    \langle \Psi, L \rangle}(\sk_1,.))}(\mathsf{aux},\Psi) ; \\
    \pcif b=b' \pcthen\\
    \pcind \pcreturn 1\\
    \pcelse\\
    \pcind \pcreturn 0;
  }
\end{center}
\end{definition}

\paragraph{Soundness.}
Here, the adversary creates the group of receivers by interacting with the honest GM.
Its goal is to produce a ciphertext $\Psi$ and a convincing proof
that   $\Psi$ is valid w.r.t. a relation $R$ of its choice but
either: (1) The opening of $\Psi$ reveals a receiver's public key $\pk$ that
does not belong to any group member; (2) The output $\pk$ of
$\mathsf{OPEN}$ is not a valid public key (\textit{i.e.}, $\pk \not\in
\mathcal{PK}$, where $\mathcal{PK}$ is the language of valid public keys); (3) The ciphertext $C$ is   not in the space
$\mathcal{C}^{x,L,\pk_{R},\pk_{\GM},\pk_{\OA},\pk}$ of  valid
ciphertexts. This notion is formalized by a game where the adversary
is given access to a user registration oracle
$\mathsf{REG}(\sk_{\GM},.)$ that simulates $\mathsf{J}_{\GM}$. This oracle
maintains a list $\mathsf{database}$ where registered public keys and
their certificates are stored.

\begin{definition} \label{soundness-def}
  A $\GE$ scheme is \textit{sound} if, for any PPT adversary $\adv$, the experiment below returns $1$
  with negligible probability.
  \begin{center}
    \procedure{Experiment $\Expt_{\adv}^{\mathrm{soundness}}(\lambda)$}{
       \param \leftarrow
      \mathsf{SETUP}_{\mathsf{init}}(1^\lambda);   (\pk_{\OA},\sk_{\OA})
      \leftarrow \mathsf{SETUP}_{\OA}( \param); \\ 
      (\pk_{\GM},\sk_{\GM}) \leftarrow \mathsf{SETUP}_{\GM}( \param);  \\
       (\pk_{R},x,\Psi,\pi_{\Psi},L,\mathsf{aux}) \leftarrow
      \adv^{\mathsf{REG}(\sk_{\GM},.)}(\param,\pk_{\GM},\pk_{\OA},\sk_{\OA});
      \\
       \pcif \mathcal{V}( \Psi,L,\pi_{\Psi},\pk_{\GM},\pk_{\OA})=0 \pcthen\\
       \pcind \pcreturn 0; \\
       \pk \leftarrow \mathsf{OPEN}(\sk_{\OA},\Psi,L); \\
       \pcif \big( (\pk \not\in \mathsf{database} ) \vee (\pk \not \in \mathcal{PK})
        \vee (\Psi \not \in
      \mathcal{C}^{x,L,\pk_{R},\pk_{\GM},\pk_{\OA},\pk}) \big)\pcthen\\
      \pcind \pcreturn 1\\
      \pcelse \\
      \pcind \pcreturn 0;
    }
  \end{center}
\end{definition}

The model of Kiayias \textit{et al.} \cite{KTY07} requires
that $\pk$ belongs to the language of valid public keys, so that the adversary is considered to defeat the soundness property when
$(\Psi,L)$ opens to a key outside the language (i.e.,
$\pk \not \in \mathcal{PK}$). In our scheme, we will assume that the space
of valid public keys is dense in that all matrices of a given dimension are valid public keys, which have an underlying private key.
 We nevertheless use the same definition as \cite{KTY07} in order to emphasize that we are not relaxing the model in any way.











\section{Building Blocks}




\subsection{The Agrawal-Boneh-Boyen IBE Scheme} \label{ap:ABB-IBE}

\subsubsection{Identity-Based Encryption.} \label{ap:IBE}

An IBE scheme is a tuple of efficient algorithms $(\mathsf{Setup}, \mathsf{Extract}_\mathsf{PP}, \mathsf{Encrypt}_\mathsf{PP},$ $\mathsf{Decrypt}_\mathsf{PP})$ such that
\begin{description}
  \item[\textsf{Setup}$(1^\lambda)$:] On security parameter $\lambda$, this algorithm outputs public parameters $\mathsf{PP}$ and a master secret key $\textsf{msk}$.
  \item[\textsf{Extract}$_\mathsf{PP}(\textsf{msk}, \ID)$:] Takes as input a master secret key $\textsf{msk}$ and an identity $\ID$ and outputs a secret key $\sk_\ID$.
  \item[\textsf{Encrypt}$_\mathsf{PP}(\ID, M)$:] Given an identity  $\ID$ and a message $M$, it outputs a ciphertext $C$.
  \item[\textsf{Decrypt}$_\mathsf{PP}(\sk_\ID, C)$:] Given a secret key $\sk_\ID$ and a ciphertext $C$, outputs either a decryption error symbol $\bot$, or a message $M$.
\end{description}

\noindent Correctness   requires that, for any   pair $(\mathsf{PP}, \textsf{msk}) \gets \Setup(1^\lambda)$, any   $\ID$ and any message $M$,  we have
$\mathsf{Decrypt}_\mathsf{PP}\bigl(\textsf{Extract}_\mathsf{PP}(\textsf{msk}, \ID), \mathsf{Encrypt}_\mathsf{PP}(\ID, M)\bigr) = M.$
Our proofs rely on the semantic security of the scheme against selective adversaries (\textsf{IND-sID-CPA})
but also on the stronger property of ciphertext pseudo-randomness.  %in Lemma~\ref{ABB-deux}.
Informally, this notions demands that the adversary be unable to distinguish an
encryption of a message of its choice from a random element of the ciphertext space $\mathcal{C}$.  Notice that this property implies \textsf{IND-sID-CPA} security.

\begin{definition}
  \label{de:pseudorand-cipher}
  An IBE scheme has pseudo-random-ciphertexts if no PPT adversary $\adv$ with   access to private key extraction oracle  \textsf{Extract$_\mathsf{PP}(\textsf{msk}, \cdot)$} has non-negligible advantage
  $ \advantage{\mathrm{ROR}}{\adv}{\lambda} =  | \Pr\bigl[ \mathbf{Expt}_{\adv}^\mathrm{ROR} = 1 \bigr] -  \frac 1 2  | $ in the game described in Figure~\ref{fig:expt-ror}

  \begin{figure}
    \centering
    \procedure{Experiment $\Expt^{\mathrm{ROR}}_{\adv}(\lambda)$}{
      \ID^\star \gets \adv(\textsf{id}, \lambda); (\mathsf{PP}, \textsf{msk}) \gets \mathsf{Setup}(1^\lambda);~\\
      M \gets \adv^{\mathsf{Extract}_\mathsf{PP}(\textsf{msk}, \cdot)}_\textsf{Ch}(\mathsf{PP});\\
      b \sample U(\bit);\\
      \pcif b = 1 \pcthen\\
      \pcind C^\star \gets \mathsf{Encrypt}_\mathsf{PP}(M, \ID^\star) \\
      \pcelse\\
      \pcind C^\star \gets U(\mathcal{C});\\
      b' \gets \adv^{\mathsf{Extract}_\mathsf{PP}(\textsf{msk}, \cdot)}(\textsf{guess},C^\star);\\
      \pcif b = b' \pcthen\\
      \pcind \pcreturn 1\\
      \pcelse \\
      \pcind \pcreturn 0
    }
    \caption{Security experiment for the pseudo-random-ciphertext property for an IBE}
    \label{fig:expt-ror}
  \end{figure}
\end{definition}


\subsubsection{The ABB System.} \label{ap:ABB-desc}

  Agrawal, Boneh and Boyen described~\cite{ABB10}  a compact IBE scheme in the standard  model which allows encrypting multi-bit messages. 
%In
%the description   hereunder,   algorithms \textsf{Extract}, \textsf{Encrypt} and \textsf{Decrypt} have implicit access to the public param
%eters $\mathsf{PP}$ defined in the \textsf{Setup} algorithm.

\begin{description}
  \item[\textsf{Setup}$(1^\lambda)$:] Given a security parameter $\lambda$, choose parameters
	$q, n, \sigma, \alpha$ and define $k =\lfloor \log q \rfloor$,  $\bar{m}= nk$, $m = 2 \bar{m}$  and choose a  noise distribution $\chi$ for $\LWE$.
    \begin{enumerate}
      \item Compute $(\bar{\mathbf A}, \mathbf{T}_{\bar{\mathbf{A}}}) \gets \TrapGen(1^n, 1^m, q)$.
      \item Define $\mathbf{G} = \mathbf{I}_n \otimes [1|2|\ldots |2^{k-1}] \in \ZZ_q^{n \times \bar{m}}$.  Sample matrices $\mathbf B \sample U(\ZZ_q^{ n \times \bar{m}}) $,
			$ \mathbf U \sample U(\Zq^{n \times m})$.
      \item Let $\mathsf{FRD}: \Zq^n \to \Zq^{n \times n}$ be the full-rank difference mapping from~\cite{ABB10}.
        \end{enumerate} Output
         $
          \mathsf{PP}= \bigl(\bar{\mathbf A}, \mathbf B,  \mathbf U \bigr)$ and $\textsf{msk} = \mathbf{T}_{\bar{\mathbf A}}$.

  \item[\textsf{Extract}$_\mathsf{PP}(\textsf{msk}, \ID)$:] Given $\textsf{msk} = \mathbf{T}_{\bar{\mathbf A}}$ and an identity $\ID \in \Zq^n$, do as follows: \smallskip
    \begin{enumerate}
      \item Define the matrix $\mathbf B_\ID = \mathbf B  + \mathsf{FRD}(\ID) \cdot \mathbf G \in \Zq^{n \times \bar{m}}$.
%\item Use $\mathbf T_A$ to compute a delegated basis $\mathbf T_\ID$ for the dual lattice of the matrix $\mathbf B_{\mathbf A, \ID} = \left[ \mathbf A \mid \mathbf B_\ID \right]$.
      \item Let $\mathbf B_{\mathbf A, \ID} = \left[ \mathbf A \mid \mathbf B_\ID \right] \in \ZZ_q^{n \times (m + \bar{m})}$, use $\mathbf T_A$ to compute a delegated basis $\mathbf T_\ID$ for the lattice $\Lambda^\perp(\mathbf B_{\mathbf A, \ID})$.
      \item Use $\mathbf T_\ID$ to sample a small-norm matrix $\mathbf E_\ID \in \ZZ^{(m+ \bar{m}) \times m}$ satisfying the equality $\mathbf B_{\mathbf A, \ID} \cdot \mathbf E_\ID = \mathbf U \bmod q$.
      \item Output $\sk_\ID = \mathbf E_\ID  \in \ZZ^{(m+ \bar{m}) \times m}$. \smallskip \smallskip
    \end{enumerate}
  \item[\textsf{Encrypt}$_\mathsf{PP}(\ID,\mathbf m)$:] Given an identity $\ID$ and a message $\mathbf m \in \bit^m$,   \smallskip
    \begin{enumerate}
      \item Compute the matrix $\mathbf B_\ID = \mathbf B + \mathsf{FRD}(\ID) \cdot \mathbf G \in \Zq^{n \times \bar{m}}$.
      Sample vectors $\mathbf s \sample U(\Zq^n), \mathbf x, \mathbf y \sample \chi^m$, $\mathbf R \sample D_{\ZZ,\sigma}^{m \times \bar{m}}$ and compute
			$\mathbf z = \mathbf R^\top \cdot \mathbf y \in \ZZ^m$.
      \item Compute
        \begin{equation} \label{eq:ABB-c}
          \begin{cases}
            \mathbf c^{(1)} = \bar{\mathbf A}^\top \cdot \mathbf s + \mathbf y \bmod q,\\
            \mathbf c^{(2)} = \mathbf B_\ID^\top \cdot \mathbf s + \mathbf z \bmod q,\\
            \mathbf c^{(3)} = \mathbf U^\top \cdot \mathbf s + \mathbf x + \mathbf m \cdot \left\lfloor \dfrac{q}{2} \right\rfloor.
          \end{cases}
        \end{equation}
      \item Output $\mathbf c = \bigl(\mathbf c^{(1)},\mathbf c^{(2)},\mathbf c^{(3)}\bigr) \in \ZZ_q^m \times \ZZ_q^{\bar{m}} \times \ZZ_q^m$. \smallskip \smallskip
    \end{enumerate}
  \item[\textsf{Decrypt}$_\mathsf{PP}(\sk_\ID, \mathbf c)$:] Given $\sk_\ID = \mathbf E_\ID$ and  $\mathbf c=\bigl(\mathbf c^{(1)},\mathbf c^{(2)},\mathbf c^{(3)}\bigr)  \in \ZZ_q^m \times \ZZ_q^{\bar{m}} \times \ZZ_q^m$, compute and output
       % \begin{equation} \label{eq:ABB-dec}
       $   \mathbf m' = \left\lfloor \left( \mathbf c^{(3)} - \mathbf E_\ID \cdot \begin{bmatrix} \mathbf c^{(1)} \\ \mathbf c^{(2)} \end{bmatrix}  \right) \cdot \left\lfloor \dfrac{q}{2} \right\rfloor^{-1}  \right\rceil \in \bit^m .$
      %  \end{equation}
\end{description}
 \smallskip



\begin{theorem}[{\cite[Th. 23]{ABB10}}] \label{ABB-pseudorand-prop}
  The ABB IBE scheme has pseudo-random ciphertexts if the $\LWE_{n,q,\chi}$ assumption holds.
\end{theorem}


%**************************************************